Bug 1156318

Summary: HR authentication broken in cluster mode
Product: [JBoss] JBoss Data Grid 6
Reporter: Vojtech Juranek <vjuranek>
Component: Server
Assignee: Tristan Tarrant <ttarrant>
Status: CLOSED CURRENTRELEASE
QA Contact: Martin Gencur <mgencur>
Severity: urgent
Priority: unspecified
Version: 6.3.1, 6.4.0
CC: afield, jdg-bugs, slaskawi, vchintal
Target Milestone: ER3
Target Release: 6.4.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Bug Blocks: 1153109, 1168237

Description Vojtech Juranek 2014-10-24 07:53:53 UTC
Description of problem:
When the server cache is clustered, the HR client is not able to authenticate itself even when using proper credentials. It seems that the transport layer breaks the authentication process. When a local cache is used, everything works as expected.


How reproducible:
Always

Steps to Reproduce:
1. set up HR security (config snippets are below)
2. use security for a distributed or replicated cache
3. connect to this cache from an HR client, using proper credentials

Actual results:
HR authentication fails with 
09:44:00,343 INFO  [org.infinispan.AUDIT] (HotRodServerWorker-1) [DENY] null ADMIN cache[securedcache]

Expected results:
HR client should be able to authenticate and read/write to cache according to the specified rights

Additional info:
HR server config:

            <hotrod-connector socket-binding="hotrod" cache-container="securedcachecontainer">
                <topology-state-transfer lazy-retrieval="false" lock-timeout="1000" replication-timeout="5000"/>
                <!-- Hot Rod clients authenticate against the server's ApplicationRealm -->
                <authentication security-realm="ApplicationRealm">
                    <!-- server-name must match the server name the client negotiates; qop="auth" is authentication only, no integrity/confidentiality layer -->
                    <sasl server-name="securedserver" mechanisms="DIGEST-MD5" qop="auth">
                        <policy>
                            <!-- reject unauthenticated (anonymous) connections -->
                            <no-anonymous value="true"/>
                        </policy>
                        <property name="com.sun.security.sasl.digest.utf8">true</property>
                    </sasl>
                </authentication>
            </hotrod-connector>

            <cache-container name="securedcachecontainer" default-cache="securedcache">
                <!-- clustered transport: the configuration in which authentication fails -->
                <transport executor="infinispan-transport" lock-timeout="60000"/>
                <security>
                    <authorization>
                        <!-- identity-role-mapper uses each authenticated principal name directly as a role name -->
                        <identity-role-mapper/>
                        <role name="admin" permissions="ALL" />
                        <role name="reader" permissions="READ BULK_READ"/>
                        <role name="writer" permissions="ALL" />
                        <role name="supervisor" permissions="READ WRITE EXEC" />
                    </authorization>
                </security>
                <replicated-cache name="securedcache" mode="SYNC" start="EAGER" remote-timeout="30000">
                    <security>
                        <!-- only these roles may access this cache; supervisor is defined above but not granted here -->
                        <authorization roles="admin reader writer" />
                    </security>
                </replicated-cache>
            </cache-container>
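
The client half of the reproduction, as an added example that is not part of the bug report or of the JDG/Infinispan code base: a Java Hot Rod client that authenticates with DIGEST-MD5 against the server configuration above and then does a put/get on securedcache. The server name, realm name and cache name are taken from the posted config; the host, port, user name and password are assumptions, as is the use of the Infinispan Hot Rod client configuration API (org.infinispan.client.hotrod.configuration.ConfigurationBuilder with security().authentication()) and the infinispan-client-hotrod artifact on the classpath.

```java
import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;

import org.infinispan.client.hotrod.RemoteCache;
import org.infinispan.client.hotrod.RemoteCacheManager;
import org.infinispan.client.hotrod.configuration.ConfigurationBuilder;
import org.infinispan.client.hotrod.exceptions.HotRodClientException;

/** Example client (not from the bug report): DIGEST-MD5 authentication to the secured Hot Rod endpoint. */
public class SecuredHotRodClient {

    /** Answers the callbacks the DIGEST-MD5 SASL client raises during the handshake. */
    static final class DigestCallbackHandler implements CallbackHandler {
        private final String username;
        private final String realm;
        private final char[] password;

        DigestCallbackHandler(String username, String realm, char[] password) {
            this.username = username;
            this.realm = realm;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(username);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else if (cb instanceof RealmCallback) {
                    // Must be the realm the server authenticates against (security-realm="ApplicationRealm"),
                    // otherwise the digest is computed over the wrong realm and verification fails.
                    ((RealmCallback) cb).setText(realm);
                } else if (cb instanceof AuthorizeCallback) {
                    // Only allow the authenticated identity to act as itself (no impersonation).
                    AuthorizeCallback ac = (AuthorizeCallback) cb;
                    ac.setAuthorized(ac.getAuthenticationID().equals(ac.getAuthorizationID()));
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    public static void main(String[] args) {
        // Assumed values: host/port of the JDG server and a user created in ApplicationRealm.
        String host = args.length > 0 ? args[0] : "127.0.0.1";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 11222;
        String user = args.length > 2 ? args[2] : "admin";
        char[] password = (args.length > 3 ? args[3] : "changeme").toCharArray();

        ConfigurationBuilder builder = new ConfigurationBuilder();
        builder.addServer().host(host).port(port);
        builder.security().authentication()
               .enable()
               .serverName("securedserver")     // must equal <sasl server-name="securedserver">
               .saslMechanism("DIGEST-MD5")     // must be one of <sasl mechanisms="...">
               .callbackHandler(new DigestCallbackHandler(user, "ApplicationRealm", password));

        RemoteCacheManager rcm = new RemoteCacheManager(builder.build());
        try {
            RemoteCache<String, String> cache = rcm.getCache("securedcache");
            cache.put("k1", "v1");
            System.out.println("read back: " + cache.get("k1"));
        } catch (HotRodClientException e) {
            // The client-visible symptom of the failure in this report: the server audits
            // [DENY] with a null subject and rejects the operation.
            System.err.println("Hot Rod operation rejected: " + e.getMessage());
        } finally {
            rcm.stop();
        }
    }
}
```

Because the server uses identity-role-mapper, the principal names attached after the SASL handshake are used verbatim as role names: the user (or one of its ApplicationRealm groups) has to be called admin, reader or writer to pass the authorization roles="admin reader writer" on securedcache. The audit line in the report, [DENY] null ADMIN cache[securedcache], has null in the position where the authenticated subject is logged, i.e. the authorization check ran without the Subject the SASL handshake should have established. Note also that qop="auth" protects only the credential exchange; cache keys and values still cross the wire in clear, so put TLS on the hotrod socket binding if that matters.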

Comment 3 Sebastian Ɓaskawiec 2014-10-30 08:35:34 UTC
PR: https://github.com/infinispan/jdg/pull/308